Machine-to-Machine communication (M2M) is a network application and service whose core is intelligent interaction between machines. In M2M communication, a wireless or wired communications module and application processing logic are embedded in a machine so as to fulfill a user's information requirements for monitoring, commanding and dispatching, data collection and measurement, and the like. In an M2M system, M2M devices such as sensors access an M2M service platform through an M2M gateway to implement M2M services, for example electricity meter reading and smart home control. A service capability provided by the M2M service platform can be used to obtain data collected by an M2M device, or to control and manage an M2M device.
In an existing M2M specification, a RESTful (Representational State Transfer) architecture is used: any M2M device, M2M gateway, or M2M service platform, and the service capabilities they provide, can be abstracted as resources with unique resource identifiers, that is, URIs (Uniform Resource Identifiers). A corresponding access right may be set for each accessed resource, and an access control policy resource such as an ACP (accessControlPolicy) resource is used to implement the system's access control function for that resource.
When receiving a resource request message from an access device, the device to which the accessed resource belongs obtains the corresponding access control policy resource according to the access control policy identifier (accessControlPolicyID) of the accessed resource. Each access control rule of the access control policy resource may be considered a 3-tuple <accessControlOriginators, accessControlContexts, accessControlOperations>, where accessControlOriginators indicates the identifier (which may be a CSE-ID, an AE-ID, a serviceProvider domain, or "all") of an access device that has operation permission; accessControlOperations indicates the operations (one or more of retrieve, create, update, delete, discovery, or notify) permitted by the rule; and accessControlContexts is optional and defines the conditions, for example being within a time range or within a geographical region, under which accessControlOriginators holds the operation permission specified in accessControlOperations. Optionally, the value of accessControlContexts may be null, meaning that no conditions are placed on the operation permission. The device to which the accessed resource belongs determines whether the access device has a right to access the resource according to whether the accessControlOriginators attribute in the obtained access control policy resource includes the identifier of the access device and whether the accessControlOperations attribute includes the operation requested by the access device on the accessed resource. Only when both conditions are satisfied does the access device pass the access control right check.
In the M2M system, the access device identifier identifies the identity of the access device. Specifically, the access device may be an application entity (AE) or a common services entity (CSE). The access device identifier is allocated by the common services entity with which the access device registers, that is, by a registrar CSE (referred to uniformly as a registrar). In the current system, when the allocated access device identifier of the same access device changes, because the access device registers with a different registrar or for another reason, the access device can no longer use the original access control policy configured for it in the M2M system. Take an AE as an example. When the AE registers with CSE1 for a local ID, AE-ID1 is allocated to the AE. After the AE goes offline and then registers with CSE2, AE-ID2 is allocated to the AE. Because the identifier of the AE in the M2M system has changed, the original authorization relationship (for example, an ACP) associated with AE-ID1 cannot be applied to the new AE-ID2, and an administrator needs to reset or add an ACP for AE-ID2. This greatly affects the service continuity and user experience of an M2M device. For example, in an M2M system, the ACP resource corresponding to a resource X is shown in the following table:
| accessControlOriginators | accessControlContexts | accessControlOperations |
|--------------------------|-----------------------|-------------------------|
| AE-ID1                   | /                     | Retrieve/Create         |
It can be seen from the table that the access device corresponding to the access device identifier AE-ID1 has retrieve and create access rights for the resource X. However, when the access device identifier allocated by the M2M system changes to AE-ID2 for some reason, for example because the access device registers with another registrar, the ACP resource no longer applies to the access device, and the access device loses its retrieve and create access rights for the resource X.
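The following is an added illustration, not code from the M2M specification or from this document: a simplified evaluator for the 3-tuple access control rules described above, run against an ACP built from the table for resource X. The rule and policy classes, the "all" wildcard handling and the time-window form of accessControlContexts are assumptions made for the example; it shows the check passing for AE-ID1 and failing once the same device is re-identified as AE-ID2.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Optional

# Operations the accessControlOperations attribute may list.
ALLOWED_OPS = {"retrieve", "create", "update", "delete", "discovery", "notify"}


@dataclass
class AccessControlRule:
    """One <accessControlOriginators, accessControlContexts, accessControlOperations> tuple.
    Shape assumed for this example; accessControlContexts is reduced to an optional
    daily time window, and None means the rule is unconditional."""
    originators: set[str]                     # device identifiers, or "all"
    operations: set[str]                      # permitted operations
    time_window: Optional[tuple[time, time]] = None


@dataclass
class AccessControlPolicy:
    rules: list[AccessControlRule] = field(default_factory=list)


def context_satisfied(rule: AccessControlRule, now: datetime) -> bool:
    """A null context places no condition on the permission."""
    if rule.time_window is None:
        return True
    start, end = rule.time_window
    return start <= now.time() <= end


def is_authorized(policy: AccessControlPolicy, originator_id: str,
                  operation: str, now: datetime) -> bool:
    """Access is granted only if some rule names the originator (or "all"),
    lists the requested operation, and its context holds at request time."""
    op = operation.lower()
    if op not in ALLOWED_OPS:
        return False
    for rule in policy.rules:
        originator_ok = "all" in rule.originators or originator_id in rule.originators
        if originator_ok and op in rule.operations and context_satisfied(rule, now):
            return True
    return False


# Constructed ACP for resource X, mirroring the table: AE-ID1 may retrieve/create,
# with a null (unrestricted) accessControlContexts.
ACP_RESOURCE_X = AccessControlPolicy(
    rules=[AccessControlRule({"AE-ID1"}, {"retrieve", "create"})])
```

The same evaluator makes the identifier problem visible: after the device re-registers and is allocated AE-ID2, every request is refused until an administrator adds a rule for the new identifier.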